
Heather Burns is a British tech policy and regulation specialist in data protection at Webdevlaw. She educates the profession on the policy issues that impact our work, inspires professionals to participate constructively in the regulatory process, and facilitates cooperation between policymakers and tech. She also works on the WordPress core privacy and cross-CMS privacy teams.

Before GDPR became enforceable, she gave a talk at WordCamp London 2017 titled 'Protecting the web from political uncertainty' that is still relevant today. Here is a transcript of that talk.

TRANSCRIPT:

First of all, there is simply no precedent for the territory that we, as professionals working in the digital industry, find ourselves in. There is also no burying our heads in the sand about this. Decisions are being made about the policies, the regulations and the systems that you work in, and they will impact the way you work.

Decisions are also being made about the tools that you make: decisions that can hurt the people who use the tools you make, and that deliberately allow those tools to hurt people.

Whatever your political stance, whatever your beliefs, whatever side you are on, the fact is this: the foundations of the open web are currently under threat.

UK: Brexit

In the UK, Brexit means withdrawal from the European Union. The European data protection regime will stay with us for a while, but what comes after that is unknown, and that could end the freedom of movement of data as we have known it. It will spell an end to the freedom of movement of tech talent, which has enabled you to get a job anywhere in Europe, and your European colleagues to come here as they wish. Withdrawal from the European Union's Digital Single Market will remove us from a trading market worth 450 billion pounds to the digital industry. And we are also now dealing with openly xenophobic and authoritarian currents leading to mass digital surveillance.

In the US, the government is withdrawing from the net neutrality protections that have enabled the free flow of information and commerce. The US is also dealing with openly xenophobic and authoritarian currents, which have resulted, amongst other things, in mass personal profiling.

I can't tell you what to believe, but I can tell you what I believe.

I can tell you that, as designers and developers, you are people with extraordinary power and influence. You make the tools and you see the data. You know better than anyone what needs to be done to protect the people who have entrusted you with their data.

Now, in this talk, I’m going to encourage you to:

Think proactively about self-defense and user protection

Adopt protective workflows and business practices

Prepare to face the challenges ahead.

1. Think about user data protection

Regardless of what political stance you hold or what you believe in, the fact of the matter is that people are now working in a climate of fear.

UK – Brexit:

We have the Digital Economy Bill, which is enabling data sharing across government on a massive scale, ostensibly for things like reducing poverty, or for sanctions and punishments.

We have the Investigatory Powers Act, the law that left no less than Edward Snowden gobsmacked. Amongst its provisions are mandatory backdoors in hardware, which make the UK a 'no-go' place to do business with.

We are also seeing actual deportations of grandmothers who have lived in this country for 30 years.

US – ’45’:

The list-building has begun. People are being profiled.

As we saw in the CIA WikiLeaks dump, there are backdoors in hardware, a bit like in the UK.

We are seeing the deliberate, calculated removal of regulatory protections, and horrific things at border controls, such as the searches you can now expect.

We are seeing deportations, and children separated from their families, as the fulfilment of a campaign promise.

Care for the people in the data

To support your users responsibly and address their concerns, you must overcome your apathy. I know that in digital the default setting is 'politics and laws: not interested'. You have the luxury of thinking that, because you are the 1%, a digital nomad, you can move to Europe or flee somewhere else. But guess what: the 99% of people who will never have that luxury will live with the consequences of the tools you create.

2. Adopt data protection workflows

We are in hostile territory. You must adopt legal and technical defence strategies. In Europe, we are at an advantage because we have an overarching data protection law. In the United States there is no overarching data protection law; it is divided by sector or by state. You may have heard that California has a very strict data protection law, which is now under attack. But America as a whole doesn't have a system like we do in Europe. That is very important to know, as America is where a lot of data is held and processed.

The defence strategy you can adopt is GDPR.

GDPR is the General Data Protection Regulation, which becomes enforceable on 25 May 2018. We in the UK are going into this regardless of Brexit, and we are going to stay in it for at least a few years. What comes after that, as I said, is a problem that concerns most of us deeply. But for now, we have a little bit to work with.

This regulation replaces the existing European data protection regime, which dates from, believe it or not, 1995. You know it here in the UK as the Data Protection Act 1998. GDPR is a much-needed update for the digital age: the existing data protection law is from the age of dial-up and floppy discs.

GDPR has new requirements on many things. Things you need to know are:

Accountability: you have to become accountable for, and document, all of your data protection compliance.

Consent: you must secure and confirm consent from the people whose data you are using.

Third-party data sharing: there are really strict rules on third-party data sharing, on who you are passing your data to, whether that's Facebook or a business partner.

Data breaches: these become more enforceable than they have been in the past.

Individual rights: you must be prepared to meet people's rights over their data.

International data transfers: this system has been thrown into chaos because of Brexit and the Trump administration.

But for our purposes today, the key take-aways from GDPR are:

PBD: Privacy by Design

DPBD: Data Protection by Design.

That's not quite what they mean now. They now mean:

a) Privacy by Default

Going forward, in your work, whether it's your website or your apps, for whatever data you take and receive and however you use it, you must provide clear, transparent, standardised privacy notices. There are templates you can follow, with icons and tables. The days of the nonsense, worthless 30-page document written by a lawyer are over.

PBD calls for data minimisation: the less data you have, the less data they can slurp. You need to start thinking of data as your liability. Reduce the amount of data you are collecting and storing. There is going to be mandatory deletion of data, and you are going to have to be prepared to document when and how you deleted it. Did you delete it? Prove it!

Increased accountability: you can no longer retrofit data protection into a project after the fact. You have to factor it in from the minute you start creating a project.

Enhanced subject access requests: that is, the rights people have over their data.

Third-party data sharing

b) Data Protection by Default

Privacy impact assessment: you need to start conducting privacy impact assessments right now. What are you collecting? Where is it stored? What is in your website's database, and what are you doing with it? Are your passwords secure?

Data retention and deletion

Technical and security accountability

Data breach preparedness: when a data breach happens, you now have 72 hours to report it to the Information Commissioner's Office, and there is certain information they will require.

c) Privacy Shield

Privacy Shield is a voluntary agreement used by US companies to ensure compliance with EU standards for EU data. In other words, if you are doing business with a company in America, they must agree to safeguard your data within their regulatory system as if it were still in Europe.

Privacy Shield has always been fragile and imperfect, but it provides legal certainty.

It may be invalidated soon, and is already being, by Trump. Consequently, do not assume that your data is secure in the USA. You must ensure that any US companies you do business with are Privacy Shield compliant under EU data protection law. The same goes for any third-party companies you do business with.

If you live in the US, or in a country that doesn't have a legal framework, you can still use GDPR. It's a fantastic toolkit with a basic legal framework built in.

So, let’s go beyond that.

d) Technology in hostile states: ten principles for user protection

It may sound counter-intuitive given what I have just said, but do not rely on the law to protect your systems or your users. Always take further steps.

Prepare policy commentary for quick response to a crisis. This means that digital professionals must be prepared to counteract really stupid political arguments with coherent facts, figures and technical explanations as soon as a crisis hits.

Only keep the user data that you currently need. That is GDPR. You can see that these working principles tie in to data protection law.

Give users full control over their data. Users have the right to ask a company what data it holds about them, and to ask it to delete that data.

Allow pseudonymity and anonymity: pseudonymous data is data that has been separated from any personally identifiable information. Anonymity means allowing people to register anonymously. Do not put a Facebook social login on your site, because everything those users tell you is going to Facebook.

Encrypt data in transit and at rest.

Invest in cryptographic R&D to replace non-cryptographic systems. That doesn't really concern you if you are a small company.

Eliminate single points of security failure, even against coercion: multiple layers of security, like sandboxes, modularisation, voluntary attack surface reduction and least privilege. What you are doing on the backend really does matter.

Favour open source and enable user freedom: advocate the freedom to use, to share and to improve software.

Provide privacy gradients: it's not on or off. Give people multiple choices about how much data they share with you.

Check your external connection requests: we played around yesterday with a plugin called 'Snitch'. That will tell you what all of your plugins are doing.

Don't send or include personally identifiable data 'home': if your plugin phones home to check the version, that's fine. But if it reports that such and such a user at this URL has an insecure blog, you are in trouble.

Theyworkforyou.com / Mysociety.org: these come from the UK and use a lot of government open data, but we really have nothing comparable to the level of digital activism that is happening in the US right now.

b) Clicktivism

Signing a petition.

Saying 'hey, I signed this petition' on social media.

Signing a petition isn't political activism. I can tell you that 95% of petitions are list-building exercises for fundraising.

Using an automated 'email your MP' message. That is the equivalent of spam.

Political activism isn’t memes, hashtags and tweetstorms.

Political activism is not speaking to your filter bubble.

On the contrary, what we need now is:

c) Meaningful engagement

Engage personally with your managers and leaders about these issues.

Engage personally with policymakers such as MPs, parliaments….

Join open rights groups.

Give numbers, figures and the bottom line. They are not interested in your uninformed opinion. Be factual.

Be constructive and cooperative.

Speak through industry bodies.

Here is a slide I really like. This can apply to any sort of advocacy.

This graph provides more detail. Let me explain it:

At the bottom you've got the rubbish things that you don't do, because they are really ineffective: guilt, and punishment (breaking the law, getting a fine). That doesn't work.

As far as requirements are concerned, GDPR is coming and you need to comply. But I'm not trying to use it as a stick to beat you with.

As for rewards, this isn't a game. Don't incentivise it!

Instead, enlighten and inspire your colleagues and your industry about these issues and about the way forward.

Even so, all the suggestions I have given you today assume that you have room for movement and to work within your organisation. What happens if you don't?

d) When the day comes

What happens when the day comes and you find out that someone is expecting you to use the tools you created to hurt people?

And what about when you find out that the tools you have made are already being used to hurt people?

And what if you become aware that the data you have control over has been compromised or misused?

You must remember that you have a responsibility to care for the people in your data, and you may be called upon to do something. You need to search yourself, and be prepared to refuse a government request and to leak data responsibly. The most professional and ethical thing you do in your career may be to drop a table. You may be called on to delete data, and you may even be called on to sabotage it.

e) You think that's radical. It's not. It's called 'ethical hacking'

So, let me introduce you to my new hero. Anyone here from France? Do you know who this is?

Does anyone know what that is in the background? It's a punch card. This is a fellow called René Carmille.

He was a punch card computing expert and comptroller general of the French army in the 1940s, who ran the demographics department of Vichy and later France's national statistics service. He also looked after the technology behind the French census, which ran on punch cards.

Punch cards seem a wonderfully innocuous form of technology.

Then the Nazis came along. Punch cards running on IBM technology became the means by which the whole Holocaust was carried out.

So what did René do? He sabotaged the census. Together with his team, he purposely delayed the census by mishandling punch cards and leaving stacks of them in a back room for two years. He also hacked his own machines. Column 11 on the punch card recorded a person's religion, so the Nazis could find out who and where all the Jews were. He hacked the machines so that they couldn't punch anything into column 11. This worked for a few years, and then they got him.

But what did it accomplish? This resulted in the deportation and execution of 73% of all Jews in the Netherlands because of his data sabotage and ethical hacking.

4. Conclusion

Finally: billionaires at tech companies do not change the world. The world changes through quiet, dignified acts of civil disobedience. God forbid the day comes when you have to make that choice, but if it does, what legacy will your code leave to the world?
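The talk's principle of not sending personally identifiable data 'home' (a plugin version check that also reports which URL runs an insecure blog), together with its points on pseudonymity and encryption in transit, is easy to state and easy to get wrong in code. The following is an added example, not code from the talk, from Heather Burns or from any WordPress plugin. It contrasts a leaky version-check payload with a minimal one, derives a pseudonymous install id under a secret that never leaves the site, and audits every outbound payload before it is serialised. The plugin name, endpoint, site context and secret are all constructed for the example.

```python
"""
Added example: a plugin 'phone home' version check that sends only what the
update server needs. Not code from the talk or from any real WordPress plugin;
the plugin name, endpoint, sample site data and secret below are assumptions.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Set

# Fields that, once they leave the site, identify the installation or its
# users, or advertise it as a target ("this URL runs an insecure blog").
SENSITIVE_FIELDS: Set[str] = {
    "site_url", "admin_email", "user_emails", "wp_version", "has_known_vuln",
}

# Constructed sample: what a plugin can see about the site it runs on.
SAMPLE_SITE_CONTEXT: Dict[str, Any] = {
    "site_url": "https://example-blog.invalid",
    "admin_email": "owner@example-blog.invalid",
    "user_emails": ["alice@example-blog.invalid", "bob@example-blog.invalid"],
    "wp_version": "4.7.2",
    "plugin_slug": "hypothetical-plugin",
    "plugin_version": "1.4.0",
    "has_known_vuln": True,
}


def leaky_update_payload(ctx: Dict[str, Any]) -> Dict[str, Any]:
    """The pattern the talk warns about: ship the whole site context 'home'.
    The vendor now holds a list of URLs, admin addresses and which of them
    are vulnerable; whoever breaches or coerces the vendor holds it too."""
    return dict(ctx)


def pseudonymous_install_id(site_secret: bytes, site_url: str) -> str:
    """Keyed hash of the URL under a secret that never leaves the site.
    The vendor can recognise repeat check-ins from the same install but
    cannot turn the id back into the URL, nor confirm a guessed URL without
    the secret. A random token stored locally would serve equally well."""
    return hmac.new(site_secret, site_url.encode(), hashlib.sha256).hexdigest()[:32]


def minimal_update_payload(ctx: Dict[str, Any], install_id: str) -> Dict[str, Any]:
    """Only what 'is there a newer version?' needs: which plugin, which version,
    plus a pseudonymous id so the vendor can count installs without a URL list."""
    return {
        "plugin": ctx["plugin_slug"],
        "version": ctx["plugin_version"],
        "install": install_id,
    }


def audit_outbound(payload: Dict[str, Any]) -> Set[str]:
    """Return the sensitive fields present in a payload (empty set means clean).
    This is the question to ask of every outbound request in code review or in
    a test; a tool like Snitch asks the same question at the network layer."""
    return SENSITIVE_FIELDS & set(payload)


def prepare_request(endpoint: str, payload: Dict[str, Any]) -> str:
    """Serialise the request body, refusing plaintext transport and any payload
    that fails the audit. Returns the JSON body that would be sent."""
    if not endpoint.startswith("https://"):
        raise ValueError("update checks must be sent over TLS: " + endpoint)
    leaked = audit_outbound(payload)
    if leaked:
        raise ValueError("refusing to phone home with " + ", ".join(sorted(leaked)))
    return json.dumps(payload, sort_keys=True)


if __name__ == "__main__":
    # Hypothetical endpoint; a real per-site secret would be generated once
    # (e.g. at activation) and kept in the site's own storage.
    endpoint = "https://updates.hypothetical-plugin.invalid/check"
    site_secret = b"generated-once-and-kept-on-the-site"
    ctx = SAMPLE_SITE_CONTEXT
    try:
        prepare_request(endpoint, leaky_update_payload(ctx))
    except ValueError as err:
        print("leaky payload rejected:", err)
    ident = pseudonymous_install_id(site_secret, ctx["site_url"])
    print("minimal body:", prepare_request(endpoint, minimal_update_payload(ctx, ident)))
```

The audit is deliberately a denylist of field names rather than a check on values: the point is to make the list of things a plugin is allowed to send explicit and reviewable, so that adding a new field to the outbound payload is a visible change rather than an accident.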